Dailydave mailing list archives
Re: Dreaming of Summer
From: surreal () delusory org
Date: Sat, 6 Dec 2003 10:16:21 -0700
David Maynor wrote:
On Sat, 2003-12-06 at 01:57, surreal () delusory org wrote:For your consideration: Thoughts on a Virtual Multi-Bird Projectile Dave's list may not be the right forum for this idea, but I like to think that the right people might see this (and it's only one message, so here goes). I'd like to address two problems and promote Good Clean Fun at the same time. Problem one: Redhat; RHN; EOL. A large but unknown (to me) number of Redhat boxes running 7.3 through 9 are about to be left to their own devices for bugfixes and security updates. Redhat hasn't seemed very excited about helping these soon-to-be-stranded sysadmins. "Buy our pricey distro and reinstall all your boxes" or "run Fedora and dwell forever in Beta Hell" just don't make me feel, uh, loved and valued. I *liked* up2date.Debian. Debian fixes all.
In my case RHES fixes all, but there's still a big population in the Unpatched-Masses-wearing-a-KickMe-sign camp. I'm thinking along the lines Phil suggested. Change the fundamental rules of the game to be attack oriented, or have Attack teams and Admin teams (that's starting to get kinda cluttered tho). My assumption is that within 6 months, possibly three, there'll be known holes. Award points (panel of judges?) on the "elegance", stealth and/or realworld applicability of attacks. A remote root would be worth more than local root; remote unpriv'd shell worth way more than simply killing a service; killing a service with a single packet more than flooding something 'til it pukes. Not leaving messy syslog traces would give Elegance points. Hell, maybe by then Microsoft will have ported Outlook Express to Linux and make root-via-spam a reality. Make CTF a ninja contest instead of it's current state. If it was managed right, it'd also give the winner(s) significant media coverage and RH some much needed (IMO) public scolding. ZD: He has the 'leet Ninja 5k1llz to launch Digital Pearl Harbor, but this studly "White Hat" hacker uses his powers for the good of all mankind! Ooooh! You know in your heart it's true... Surreal
Problem two: CTF got boring. To quote Dave, from 8/5/2003:... Also, I admit it WAS a sysadmin game, but CTF should not be. If we're going to make it Defend The Flag, then just have another game. You need to make it a game where offense matters. Otherwise you just have everyone hunkered around doing defense, like this and every other year. Did the winning team write any exploits? I don't think they did. What does that say?My proposal is this: CTF - Dead Hat Edition 2004 Is it just me, or is that catchy? That is, of course, assuming a DC XII. :-| By July, 7.3 and 8 will have been orphaned for 6 months, Redhat 9 for at least 3. How fast does a Linux distro go stale? Is someone holding off on the next big remote r00t until next year? How many ways will there be to r00t that "unknown number of boxes"? Who is this man of toast, and what is his dark secret? I propose that the nodes for CTF be Redhat boxes patched up to their EOL date like any happy RHN-using box. I'm a defender, not a sploit coder so I leave the difficult details of play and scoring to the Smart Folks. I'd like to think that just maybe an event like CTF-DH could prod Redhat to do a little more for the people they're leaving behind. Maybe host a "community supported" alternative to RHN? Anything's better than what we've got right now. Maybe they'd ignore the whole thing... If the results of the competition were documented, at least people would know where some of the holes are(?) Yeah, it *could* backfire and turn into a primer for a Redhat holocaust. The way things are going though, 2004 could be the year Linux gets the reputation for being r00ted as readily as Windows. That'd suck, IMO.This will still fall back to sysadmin games. I want to see a free for all, you are give a kernel the week before and you have to build your own distro out of it. You then take that distro and defend/attack other people. CTF is getting boring as long as it remains a sysadmin game.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Dreaming of Summer surreal (Dec 05)
- Re: Dreaming of Summer David Maynor (Dec 05)
- <Possible follow-ups>
- RE: Dreaming of Summer Brass, Phil (ISS Atlanta) (Dec 06)
- RE: Dreaming of Summer David Maynor (Dec 06)
- Re: Dreaming of Summer surreal (Dec 06)
- Re: Re: Dreaming of Summer David Maynor (Dec 06)
- RE: Dreaming of Summer Kohlenberg, Toby (Dec 06)
- Re: Dreaming of Summer Dave Aitel (Dec 06)
- RE: Dreaming of Summer Brass, Phil (ISS Atlanta) (Dec 06)
- RE: Dreaming of Summer David Maynor (Dec 06)
- Re: Dreaming of Summer Tri Huynh (Dec 06)
- Re: Dreaming of Summer Dave Aitel (Dec 06)
- Re: Dreaming of Summer David Maynor (Dec 06)
- Re: Dreaming of Summer Sean Batt (Dec 06)
- Re: Dreaming of Summer David Maynor (Dec 06)
- RE: Dreaming of Summer David Maynor (Dec 06)